Network devices including firewalls, routers, load balancers, intrusion detection systems or intrusion prevention systems (IDS/IPSes), web application firewalls (WAFs) and network address translators (NATs) can be employed to control network traffic. Such network devices can, for example, be configured to block certain network traffic, allow certain network traffic, modify certain network traffic (e.g., removing or disarming malware in the payload of an HTTP packet, etc.), route certain network traffic, and allocate bandwidth for certain network traffic. Such devices, which can control network traffic, are also commonly referred to as policy enforcement points (PEPs).
Each such network device is configured in a manner and format specific to that device. Accordingly, the specific commands or data used to configure a network device may vary among the various network devices according to the requirements of each network device. Such network devices, however, are typically configured with a set of device-specific rules that indicate how the various kinds of network traffic encountered are to be handled. Such a rule typically provides criteria for identifying certain network traffic and an action to be performed when network traffic satisfying the criteria is encountered. The criteria are typically specified in terms of one or more sources, destinations and/or service types (e.g., ICMP, HTTP, SMTP, etc.) of network traffic, and the action to be taken is generally one of allowing, blocking, modifying, routing, allocating bandwidth, or another action that can be applied to network traffic as is known to one skilled in the art. Each source or destination of the network traffic is typically specified using a network address such as an Internet Protocol (IP) address, media access control (MAC) address, or another network address format as is known to one skilled in the art.
Conventionally, a network administrator logs into a network device and configures the network device by specifying one or more device-specific rules. In expressing the rules, network devices generally allow a source or destination of network traffic to be identified using explicit network addresses (e.g., such as IP address 10.10.10.10). For example, a rule such as “allow 10.10.10.10” may be specified for a firewall to configure the firewall to allow traffic to or from a computer having network address 10.10.10.10 to pass through the firewall. Additionally, network devices commonly provide a convenience mechanism that allows a network administrator to create an object to reference one or more explicit network addresses which can then be used in rules in place of the explicit network addresses. For example, a network administrator may first specify an object named white_list to refer to IP addresses 10.10.10.10 and 10.10.10.20 and then specify a rule such as “allow white_list” to allow traffic to and from computers having network addresses referenced in the white_list to pass through the firewall. Such objects are referred to as “object groups” on Cisco firewall products, as “address sets” on Juniper firewall products, and by other names on other network devices as is known to one skilled in the art. Such objects used in network devices are referred to herein as device-specific objects.
In addition to specifying device-specific rules that can be applied to all traffic to or from a particular network address, device-specific rules may also be specified more specifically so that a device-specific rule applies only to traffic originating from certain sources and/or destinations. For example, a rule such as “allow source_list destination_list” may be specified for a firewall to configure the firewall to allow any traffic originating from any network address listed in the source_list device-specific object to any network address listed in the destination_list device-specific object to pass through the firewall. As is known to one skilled in the art, device-specific rules can take a variety of forms on the various network devices and may be expressed using multiple device-specific objects.
Conventionally, once a network device is configured with device-specific objects and device-specific rules, such objects and rules remain static (i.e., unchanged) until the network device is reconfigured by a network administrator. For example, if a firewall is configured with a white_list device-specific object and the firewall is further configured to allow only traffic to and from the network addresses listed in the white_list to pass through the firewall, a network administrator will have to log into the firewall and update the set of network addresses referenced by the white_list device-specific object each time the administrator wants to allow additional traffic or eliminate certain traffic from passing through the firewall.
In the past, the static nature of device-specific objects and device-specific rules was not a major issue since the set of sources and destinations of network traffic that an administrator needed to be concerned with changed infrequently. But in recent years, with greater utilization of virtual machines and cloud services, the set of sources and destinations of network traffic that an administrator needs to be concerned with has started to change with greater frequency and irregularity. With virtual machines and cloud services, sources and destinations of network traffic can be easily, quickly or unexpectedly added, removed or migrated (such as from one virtual or physical machine to another). Accordingly, the set of sources and destinations of network traffic that a network administrator needs to be concerned with has become more dynamic in recent years, which has increased the burden on network administrators to re-configure network devices to keep pace with a frequently changing set of sources and destinations of network traffic.
As an example, by utilizing a cloud service such as Amazon Web Services (AWS) to host game servers, a game company can conveniently and quickly provision additional game servers or remove existing game servers from AWS as user demand for its game services changes throughout the course of a day or a week. But if those game servers need to access user data in a database server that is protected by a firewall, a network administrator will need to reconfigure the firewall each time a new game server is added in AWS so that network traffic to and from the new server will be allowed to pass through the firewall. Such a burden placed on the network administrator could be bypassed by configuring the firewall initially to accept network traffic indiscriminately from a range of IP addresses that could be assigned to new game servers by AWS. But configuring a firewall to allow network traffic from a greater range of IP addresses than is minimally required renders the resources being protected by the firewall more vulnerable to security threats.
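The following added example (not part of the original text) models the device-specific objects and first-match rules described above in vendor-neutral Python and quantifies the trade-off in the game-server scenario: a static explicit object blocks a newly provisioned server until an administrator updates it, while a broad address range admits it without reconfiguration but exposes the database to every address in that range. All object names, addresses and the "game_servers"/"game_range" naming are constructed for illustration.

```python
import ipaddress

# Added example: a minimal, vendor-neutral model of device-specific objects
# (named address sets) and "allow <source> <destination>" rules with
# first-match semantics. All names and addresses are constructed; this is
# not any vendor's configuration syntax.

class AddressObject:
    """A named object referencing explicit addresses or address ranges."""
    def __init__(self, name, members):
        self.name = name
        self.networks = [ipaddress.ip_network(m, strict=False) for m in members]

    def add(self, member):
        """What an administrator does by hand when a new source appears."""
        self.networks.append(ipaddress.ip_network(member, strict=False))

    def contains(self, addr):
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in self.networks)

    def size(self):
        """Number of distinct addresses the object admits (its exposure)."""
        return sum(net.num_addresses for net in self.networks)

class Rule:
    def __init__(self, action, source, destination):
        self.action, self.source, self.destination = action, source, destination

def evaluate(rules, src, dst, default="block"):
    """First matching rule wins; unmatched traffic gets the default action."""
    for r in rules:
        if r.source.contains(src) and r.destination.contains(dst):
            return r.action
    return default

def exposure(rules):
    """Distinct source addresses the allow rules admit toward any destination."""
    return sum(r.source.size() for r in rules if r.action == "allow")

# Constructed scenario: game servers behind a firewall reach a database server.
db = AddressObject("database", ["10.0.0.5"])
explicit = AddressObject("game_servers", ["203.0.113.10", "203.0.113.11"])
broad = AddressObject("game_range", ["203.0.113.0/24"])
policy_explicit = [Rule("allow", explicit, db)]
policy_broad = [Rule("allow", broad, db)]

if __name__ == "__main__":
    new_server = "203.0.113.12"          # freshly provisioned, not yet listed
    print(evaluate(policy_explicit, new_server, "10.0.0.5"))  # block
    explicit.add(new_server)             # manual reconfiguration step
    print(evaluate(policy_explicit, new_server, "10.0.0.5"))  # allow
    print(exposure(policy_explicit), exposure(policy_broad))  # 3 256
```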
In another example, if a firewall is to be configured to allow only network traffic to and from computers being utilized by authorized users to pass through the firewall, the firewall will need to be reconfigured each time an authorized user utilizes a new computer or each time the computer being utilized by an authorized user takes on a new network address. In recent years, however, with the introduction of a greater variety of mobile computing devices, a user can now access numerous computing devices in the course of a day, and computing devices can frequently change network addresses as they are moved from one location to another. In today's dynamic computing environment, requiring a network administrator to reconfigure the firewall each time an authorized user utilizes a different computing device or each time the computer being utilized by the authorized user takes on a new network address would be extremely burdensome.
Accordingly, what is needed is a way to reconfigure network devices automatically when relevant sources and destinations of network traffic are added, removed or migrated in a network.